[Suggestion]: Make more pages available for unelevated sessions
Are you sure the Security measure is not already implemented?
- [x] Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡
Please explain your new Security measure suggestion
So when trying the application out, to simply create a policy it requires you to restart the app as admin? Again, why? You're just creating an XML file. I can totally understand if you're applying the changes etc. But to just create the file? Yeah, once I figured out it is keeping them in Program Files, then I got why.
I hit create policy and, well, it created the policy. Where? I want to validate the policy, and I also want to back them up, compare differences, etc. This way I can revert to older policies as needed. One of the things we do in a corporate environment is keep all our Intune scripts, policies, and AppLocker configurations in our own Bitlocker. This way we can all see what has changed, revert, etc., in case. So I kind of want to be in control of where my files are saved.
Anyway, I had no idea where this even saved the files. Luckily the logs gave me an idea they were in Program Files, which is really a bad location to store them; you need admin access to save and edit files here. If you allow users to specify a location, this would be a much better option. You would also not need to run the app as administrator. I find the easy access to apply the policy dangerous. I never hit it, as we will always deploy by uploading the XML to Intune. But since the app is running as admin, you could brick a machine with the click of a mouse.
Just a suggestion, really: the only thing you should ever need to be an admin for is to apply the policy. Everything else should be able to be done as a regular user. This would make the app way more secure.
You can read the reasons behind the way the app works at the moment: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager
The same document explains where the files are saved to.
You can't accidentally deploy a policy by a click, the deploy button is not a normal button, it's a toggle button. Additionally, deploying the template policies will still allow the OS to load, they can just prevent 3rd party apps or drivers from loading if there isn't a supplemental policy allowing them.
When a policy is created, it offers quick options to open it in file editor, policy editor etc.
> Additionally, deploying the template policies will still allow the OS to load, they can just prevent 3rd party apps or drivers from loading if there isn't a supplemental policy allowing them.

Oh no, you can brick a system very easily. Trust me, I have done it, and many other people are reporting doing it. Blocking one driver can cause a blue screen at bootup. That's actually what a blue screen is. https://www.youtube.com/watch?v=KgqJJECQQH0
Me personally, I would rather be more secure than fast, being this is an app for security... Just saying, we already know that with running as admin unnecessarily it is only a matter of time before you get bad mojo.
Thank you @JeffsRealm
Just to give an update: I'm planning on fixing this completely by making the app no longer need to write to a directory for most of its operations. It's going to take a while, but it will lead to what you asked for, which is making more pages and features available when the app is not running as admin.